Monday 9 November 2015

Do you deserialize Java objects? Jenkins zero day and vulns in WebLogic, WebSphere, JBoss, OpenNMS and Apache Commons

Last week the vulnerability research "What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common?" was published. It included a number of quite worrying exploits against Java apps, more specifically against apps that use the Apache Commons library (update: it looks like this is not a vuln in Apache Commons, but in how it is used).

This follows up on the Java deserialization research published earlier this year on Marshalling Pickles and Exploiting Deserialization Vulnerabilities in Java (which is a variation of the XStream/XMLDecoder vulns/research I was involved in in 2013).

It also looks like the Jenkins issue mentioned in the latest research doc is a zero-day on Jenkins: Mitigating unauthenticated remote code execution 0-day in Jenkins CLI

Since this is a vulnerability that allows RCE (Remote Code Execution), it is really important to understand the internal/external exposure to Java deserialization, Jenkins and Apache Commons usage.
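
One way to start measuring that exposure, as an added example that is not part of the original post: a scanner that flags captured inputs carrying a Java serialization stream header (the bytes `AC ED 00 05`), whether raw, Base64-encoded or hex-encoded. The function names and the sample records are constructed for illustration.

```python
import base64
import re

# Java Object Serialization Stream header:
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
MAGIC = b"\xac\xed\x00\x05"

# The same four bytes as they appear after common transport encodings.
# Base64 of AC ED 00 05 always starts with "rO0AB".
PATTERNS = {
    "raw": re.compile(re.escape(MAGIC)),
    "base64": re.compile(rb"rO0AB[A-Za-z0-9+/_-]*={0,2}"),
    "hex": re.compile(rb"aced0005(?:[0-9a-f]{2})*", re.IGNORECASE),
}


def find_serialized(data: bytes):
    """Return sorted (offset, encoding) pairs for each stream header found."""
    hits = []
    for encoding, pattern in PATTERNS.items():
        hits.extend((m.start(), encoding) for m in pattern.finditer(data))
    return sorted(hits)


def audit(records: dict):
    """Map record name -> hits, leaving out records with no serialized data."""
    report = {}
    for name, payload in records.items():
        hits = find_serialized(payload)
        if hits:
            report[name] = hits
    return report


# Constructed sample: a serialized java.lang.String "hello"
# (header, TC_STRING 0x74, 2-byte length, UTF-8 bytes).
SAMPLE_STREAM = MAGIC + b"\x74\x00\x05hello"

# Constructed records standing in for captured traffic and log lines.
SAMPLE_RECORDS = {
    "binary-protocol": b"\x00\x00" + SAMPLE_STREAM,
    "http-cookie": b"Cookie: session=" + base64.b64encode(SAMPLE_STREAM),
    "log-hex": b"payload=" + SAMPLE_STREAM.hex().encode(),
    "json-body": b'{"user": "alice"}',
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_RECORDS).items():
        print(name, hits)
```

A hit shows that an input carries a serialized Java object, not that the receiving code deserializes it unsafely; each flagged endpoint still needs a code review to confirm.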